Spinnaker URL Validation Vulnerability Allowing SSRF and Bypass of Previous CVE
Vulnerability
A vulnerability in Spinnaker's URL validation logic for user input has been identified in both the Clouddriver and Orca components. This issue arises because Java's URL parsing does not properly handle underscores, allowing for the creation of URLs that bypass validation checks. As a result, users could exploit this flaw to access internal Spinnaker APIs or inject data into Spinnaker pipelines, potentially leading to the exposure of sensitive authentication information. The vulnerability affects Clouddriver versions prior to 2025.2.4, 2025.3.1 and 2026.0.0, as well as Orca versions prior to 2025.2.4, 2025.3.1 and 2026.0.0.
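The parsing behaviour behind this class of bug, as an added example that is not Spinnaker's code: `java.net.URI` follows the RFC 2396 hostname grammar, so an authority containing an underscore is kept as an opaque authority and `getHost()` returns `null`, which a validator that only inspects non-null hosts never examines. The sketch below fails closed instead; the class name, allowlist and sample URLs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class ArtifactUrlCheck {
    // Constructed allowlist for this example; not taken from Spinnaker configuration.
    static final Set<String> ALLOWED_HOSTS = Set.of("artifacts.example.com");

    // What java.net.URI reports for a URL: parsed host versus raw authority.
    static String describe(String url) throws URISyntaxException {
        URI uri = new URI(url);
        return "host=" + uri.getHost() + " authority=" + uri.getAuthority();
    }

    // Fail-closed check: reject anything whose authority is not a parseable host[:port].
    static boolean isAllowed(String url) {
        try {
            // Throws URISyntaxException when the authority cannot be parsed as server-based.
            URI uri = new URI(url).parseServerAuthority();
            String host = uri.getHost();
            if (host == null) return false;                         // no authority at all
            if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
            if (uri.getUserInfo() != null) return false;            // no user:pass@ prefixes
            return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;                                           // unparseable means rejected
        }
    }

    public static void main(String[] args) throws URISyntaxException {
        String[] samples = {                                        // constructed inputs
            "https://artifacts.example.com/manifest.yml",
            "https://artifacts_mirror.example.com/manifest.yml",
            "/relative/path"
        };
        for (String url : samples) {
            System.out.println(url + " -> " + describe(url) + " allowed=" + isAllowed(url));
        }
    }
}
```

The check treats a missing or unparseable host as a rejection rather than as "nothing to validate", and it should run on the same parsed value that the HTTP client later uses to connect.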
Impact
The vulnerability allows for Server-Side Request Forgery (SSRF) attacks, enabling users to fetch data from remote URLs and inject it into Spinnaker pipelines. This could be exploited to access sensitive information, such as authentication data, or to call internal Spinnaker APIs, depending on the artifact configuration.
Reproduction
The vulnerability can be reproduced by enabling an artifact that allows user input of URLs, such as GitHub file artifacts or HTTP artifact providers. Once the artifact is enabled, a URL containing underscores can be crafted to bypass the validation and fetch data from a remote source, which can then be injected into a Spinnaker pipeline.
Remediation
Users can update to Clouddriver versions 2025.4.1, 2025.3.1, 2025.2.4 or 2026.0.0, and Orca versions 2025.4.1, 2025.3.1 or 2026.0.0. Instructions for updating can be found in the Spinnaker documentation.
